从1.11.3升级到1.12.1,查看kubernetes日志,发现报错:
journalctl -f -u kubelet.service
经过查询资料,发现是1.12因为在v1.12中的kubelet 的AttachVolumeLimit导致的,禁用
AttachVolumeLimit
master机器上,在kubelet启动时禁止AttachVolumeLimit,增加参数:
--feature-gates=AttachVolumeLimit=false增加后:
[root@master ~]# vim /etc/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service
[Service]
WorkingDirectory=/var/lib/kubelet
#--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest
ExecStart=/opt/kube/bin/kubelet \
--address=192.168.2.10 \
--allow-privileged=true \
--anonymous-auth=false \
--authentication-token-webhook \
--authorization-mode=Webhook \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \
--cluster-dns=10.68.0.2 \
--cluster-domain=cluster.local. \
--cni-bin-dir=/opt/kube/bin \
--cni-conf-dir=/etc/cni/net.d \
--fail-swap-on=false \
--feature-gates=AttachVolumeLimit=false \
--hairpin-mode hairpin-veth \
--hostname-override=192.168.2.10 \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
--max-pods=110 \
--network-plugin=cni \
--pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.1 \
--register-node=true \
--root-dir=/var/lib/kubelet \
--tls-cert-file=/etc/kubernetes/ssl/kubelet.pem \
--tls-private-key-file=/etc/kubernetes/ssl/kubelet-key.pem \
--v=2
#kubelet cAdvisor 默认在所有接口监听 4194 端口的请求, 以下iptables限制内网访问
ExecStartPost=/sbin/iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 4194 -j ACCEPT
ExecStartPost=/sbin/iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 4194 -j ACCEPT
ExecStartPost=/sbin/iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 4194 -j ACCEPT
ExecStartPost=/sbin/iptables -A INPUT -p tcp --dport 4194 -j DROP
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
~
~
~
~
~
~
~
"/etc/systemd/system/kubelet.service" 43L, 1617C 已写入
重新加载服务:
[root@master2 ~]# systemctl daemon-reload
[root@master2 ~]# sudo systemctl restart kubelet再次查看日志已经没有报此错误。